1. Create principals in the Kerberos database with kadmin.local.
Using kadmin.local in interactive mode, the following commands add users:
addprinc gpadmin/kerberos-gpdb@KRB.GREENPLUM.COM
addprinc postgres/kerberos-gpdb@KRB.GREENPLUM.COM
The first addprinc command creates a Greenplum Database user as a principal.
In this example, the principal is gpadmin/kerberos-gpdb. See “Setting up Greenplum Database with Kerberos for PSQL” on page 118 for information on modifying the file pg_hba.conf so that the Greenplum Database user gpadmin/kerberos-gpdb uses Kerberos authentication to access Greenplum Database from the master host.
The second addprinc command creates the postgres process as a principal in the Kerberos KDC. This principal is required when using Kerberos authentication with Greenplum Database. The syntax for the principal is postgres/GPDB_master_host, where GPDB_master_host is the host name of the Greenplum Database master.
2. Create a Kerberos keytab file with kadmin.local. The following example creates a keytab file gpdb-kerberos.keytab with authentication information for the two principals.
xst -k gpdb-kerberos.keytab gpadmin/kerberos-gpdb@KRB.GREENPLUM.COM postgres/kerberos-gpdb@KRB.GREENPLUM.COM
You use the keytab file gpdb-kerberos.keytab on the Greenplum Database master.
Installing and Configuring the Kerberos Client
Install the Kerberos client libraries on the Greenplum Database master and configure the Kerberos client:
1. Install the Kerberos packages on the Greenplum Database master.
krb5-libs
krb5-workstation
2. Ensure that the /etc/krb5.conf file is the same as the one that is on the Kerberos server.
3. Copy the gpdb-kerberos.keytab that was generated on the Kerberos server to Greenplum Database master.
4. Remove any existing tickets with the Kerberos utility kdestroy. As root, run the utility.
# kdestroy
5. Use the Kerberos utility kinit to request a ticket using the keytab file on the Greenplum Database master for gpadmin/kerberos-gpdb@KRB.GREENPLUM.COM. The -t option specifies the keytab file on the Greenplum Database master.
# kinit -k -t gpdb-kerberos.keytab gpadmin/kerberos-gpdb@KRB.GREENPLUM.COM
Installing and Configuring the Kerberos Client 118
Use the Kerberos utility klist to display the contents of the Kerberos ticket cache on the Greenplum Database master. The following is example klist output:
# klist
Ticket cache: FILE:/tmp/krb5cc_108061
Default principal: gpadmin/kerberos-gpdb@KRB.GREENPLUM.COM

Valid starting     Expires            Service principal
03/28/13 14:50:26  03/29/13 14:50:26  krbtgt/KRB.GREENPLUM.COM@KRB.GREENPLUM.COM
        renew until 03/28/13 14:50:26
Setting up Greenplum Database with Kerberos for PSQL
After you have set up Kerberos on the Greenplum Database master, you can configure a Greenplum database to use Kerberos. For information on setting up the Greenplum Database master, see “Installing and Configuring the Kerberos Client” on page 117.
1. Create a Greenplum Database administrator role in the database template1 for the Kerberos principal that is used as the database administrator. The following example uses gpadmin/kerberos-gpdb.
psql template1 -c 'create role "gpadmin/kerberos-gpdb" login superuser;'
Note: The role you create in the database template1 will be available in any new Greenplum database that you create.
2. Modify postgresql.conf to specify the location of the keytab file. For example, adding this line to the postgresql.conf specifies the folder /home/gpadmin as the location of the keytab file gpdb-kerberos.keytab.
krb_server_keyfile = '/home/gpadmin/gpdb-kerberos.keytab'
3. Modify the Greenplum Database file pg_hba.conf to enable Kerberos support. Then restart Greenplum Database (gpstop -ar). For example, adding the following line to pg_hba.conf adds GSSAPI and Kerberos support. The value for krb_realm is the Kerberos realm that is used for authentication to Greenplum Database.
host all all 0.0.0.0/0 gss include_realm=0 krb_realm=KRB.GREENPLUM.COM
For information about the pg_hba.conf file, see the Postgres documentation:
http://www.postgresql.org/docs/8.4/static/auth-pg-hba-conf.html
4. Create a ticket using kinit and show the tickets in the Kerberos ticket cache with klist.
5. As a test, log in to the database as the gpadmin role with the Kerberos credentials gpadmin/kerberos-gpdb:
psql -U "gpadmin/kerberos-gpdb" -h master.test template1
Notes
• A username map can be defined in the pg_ident.conf file and specified in the pg_hba.conf file to simplify logging into Greenplum Database. For example, this psql command logs into the default Greenplum Database on mdw.proddb as the Kerberos principal adminuser/mdw.proddb:
$ psql -U "adminuser/mdw.proddb" -h mdw.proddb
If the default user is adminuser, the pg_ident.conf file and the pg_hba.conf file can be configured so that the adminuser can log into the database as the Kerberos principal adminuser/mdw.proddb without specifying the -U option:
$ psql -h mdw.proddb
The following username map is defined in the Greenplum Database file $MASTER_DATA_DIRECTORY/pg_ident.conf:
# MAPNAME  SYSTEM-USERNAME        GP-USERNAME
mymap      /^(.*)mdw\.proddb$     adminuser
The map can be specified in the pg_hba.conf file as part of the line that enables Kerberos support:
host all all 0.0.0.0/0 krb5 include_realm=0 krb_realm=proddb map=mymap
For more information on specifying username maps see the Postgres documentation:
http://www.postgresql.org/docs/8.4/static/auth-username-maps.html
• If a Kerberos principal is not a Greenplum Database user, a message similar to the following is displayed by the psql command line when the user attempts to log into the database:
psql: krb5_sendauth: Bad response
The principal must be added as a Greenplum Database user.
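To show how the gss/krb5 line in pg_hba.conf and the pg_ident.conf map above together decide whether a Kerberos principal may log in as a given database role, here is an added Python model of that decision (it is not Greenplum's or PostgreSQL's own code; the HBA_PSQL, HBA_MAPPED and PG_IDENT values are constructed copies of the settings shown in this section, and the \1 substitution follows the PostgreSQL username-map rules):

```python
import re

# Constructed copies of the pg_hba.conf options used in the text above.
HBA_PSQL = {"krb_realm": "KRB.GREENPLUM.COM", "include_realm": 0, "map": None}
HBA_MAPPED = {"krb_realm": "proddb", "include_realm": 0, "map": "mymap"}

# Constructed pg_ident.conf content, same map as the example above.
PG_IDENT = r"""
# MAPNAME  SYSTEM-USERNAME        GP-USERNAME
mymap      /^(.*)mdw\.proddb$     adminuser
"""

def parse_ident(text):
    """Parse pg_ident.conf into (mapname, system_username, db_username) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            parts = line.split()
            if len(parts) != 3:
                raise ValueError("malformed pg_ident.conf line: %r" % line)
            entries.append(tuple(parts))
    return entries

def authorize(principal, requested_role, hba, ident_text=PG_IDENT):
    """True when Kerberos `principal` may log in as database role `requested_role`."""
    name, _, realm = principal.rpartition("@")
    # krb_realm restricts logins to one realm; without it any realm would pass.
    if hba.get("krb_realm") and realm != hba["krb_realm"]:
        return False
    # include_realm=0 strips "@REALM" before the name is compared or mapped.
    system_user = name if hba.get("include_realm", 0) == 0 else principal
    if not hba.get("map"):
        return system_user == requested_role  # no map: names must be identical
    for mapname, sys_pat, db_user in parse_ident(ident_text):
        if mapname != hba["map"]:
            continue
        if sys_pat.startswith("/"):  # regular-expression entry, optional \1
            m = re.search(sys_pat[1:], system_user)
            if not m:
                continue
            if "\\1" in db_user:
                db_user = db_user.replace("\\1", m.group(1))
        elif sys_pat != system_user:
            continue
        if db_user == requested_role:
            return True
    return False
```

With krb_realm left unset and include_realm=0, a principal with the same name in a different realm would also map to the role, which is why the lines above always set krb_realm.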
Setting up Greenplum Database with Kerberos for JDBC
You can configure Greenplum Database to use Kerberos to run user-defined Java functions.
1. Ensure that Kerberos is installed and configured on the Greenplum Database master. See “Installing and Configuring the Kerberos Client” on page 117.
2. Create the file .java.login.config in the folder /home/gpadmin and add the following text to the file:
pgjdbc {
com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true
useTicketCache=true debug=true
client=true;
};